Get a Quote

Millions Impacted by DoorDash Data Breach

Popular food delivery business DoorDash revealed last week that hackers compromised the private information of nearly 5 million clients, delivery drivers, and restaurant merchants. The data breach occurred earlier this year—DoorDash indicated it originated sometime before May 4th while informing customers who joined the service after April 5th that they were not affected by the hack.

What kind of information was hacked? All the data that cybercriminals hold most dear: credit card and bank account numbers stored in DoorDash’s app, names and delivery locations, email addresses and phone numbers, and yes, even order histories. In addition, more than 100,000 delivery workers for the service had their driver’s license information stolen.

This kind of data theft can have serious implications: fraudulent purchases with stolen financial information. Brute-force attempts to use stolen login credentials to access other accounts. Spam phone calls and phishing emails. And, in the case of the stolen driver’s license numbers, even identity theft.

Why did it take four months for the breach to be revealed? Great question. DoorDash said it couldn’t determine the identity of the unauthorized third party that hacked into its systems and stole user information, so it can hide behind a cover of not wanting to release unconfirmed details about the hack. But a year ago, when users complained that their accounts had been hacked, DoorDash denied any problems. Its high public profile surely played into that.

In February, DoorDash raised $400 million in venture capital investment after totaling $785 million in 2018. In July, finance experts set the company’s value at more than $7 billion. And in August, DoorDash bought rival start-up Caviar for $410 million, “escalating,” as The New York Times put it, “the already intense competition in food delivery.”

All of that good PR could evaporate in a cloud of mistrust after this massive data breach. So what can you do to protect your information, whether you’re a DoorDash customer or not?

1. Change your password.

Although DoorDash claims that passwords weren’t part of this most recent data breach, they’re still encouraging their users to update their login credentials—especially if the same password was used for DoorDash and other accounts. New guidelines from the National Institute for Standards and Technology recommend long phrases that are easy for users to remember, interspersed with special characters (!, @, #, %, $) to add a unique spin.

2. Monitor your financial accounts for any fraudulent charges.

Security experts predict that the DoorDash cyber thieves may try to quickly make illicit charges using stolen credit card numbers before the data is dumped in dark corners of the Internet. Keep a close eye on the activity of any card or account linked to your DoorDash profile and report anything unusual to your banking institution right away.

3. Beware of suspicious phishing emails.

These could appear in many different formats: as a supposed security check from DoorDash, as a follow-up to the breach offering credit monitoring and identity theft prevention services, or as an inquiry for more information to determine whether your data was stolen in the DoorDash hack. These kinds of phishing attempts often offer a sophisticated second step for cyber criminals trying to fool users into giving up further information. The trick is to look for official email addresses behind the sender’s display name, to scan for any spelling or grammatical errors, and to NEVER click on any link or attachment in an email you’re not sure about.

4. Make sure your data is backed up in a remote location.

Although the DoorDash breach hasn’t been linked to any kind of ransomware yet, often the ultimate goal of hackers is to steal as much data as possible. That’s why it’s so important to protect your private information in a remote, off-site location separate from any infected network or virus-stricken computer.

5. Implement proactive security solutions to stop hacks like these in their tracks.

Real data protection works hard so data breaches never happen. That requires multiple layers of network security like real-time monitoring, intrusion detection, incident reporting, and event management—all solutions DoorDash should have had in place.

That kind of proactive approach makes a huge difference in today’s complicated cybersecurity world, with new strains of ransomware and different hacking tactics popping up every week. At CMIT Solutions, we work hard to protect our clients’ data, constructing robust layers of protection around every part of a company’s IT infrastructure. We constantly refine our cybersecurity approach to match the evolving IT landscape, and we work 24/7 to analyze, identify, and solve security problems—before they affect our clients.

Want to learn more about protecting your data? Concerned about the vulnerabilities that could come from a hacked DoorDash account? Contact CMIT Solutions today. We worry about IT so you don’t have to.


We can help. Whatever your technology problem is, chances are, we've seen it before.